1. Introductions and apologies


1.1. There were apologies from Elizabeth Denham who was 
unable to attend the meeting. 


2. Declaration of interests 
2.1. There were no declarations of interest. 


3. Matters arising from the previous meeting 


3.1. There was one outstanding action - to review the 
emergence of new frameworks for internal audit. Peter 
Bloomfield would report back to the Committee on this item 
at the end of the meeting in the absence of the internal 
auditors. 


4. Interim Deputy CEO update 


4.1. Paul Arnold provided an overview of important issues 
affecting his area of responsibility as Deputy CEO. This 
included progress in reviewing ICO governance and the 
development of the new Information Rights Strategy. Paul 
also highlighted the work being done on IT against a 
background of increasing caseload. 


4.2. Simon Entwisle highlighted the increase in high profile 
information rights cases. These were being tracked by the 
Senior Leadership Team. 


4.3. The success of the ICO's major Data Protection 
Practitioner’s Conference held yesterday in Manchester was 
also highlighted. An international case handler conference 
was being hosted by the ICO in the summer, also in 
Manchester. 


5. Finance 


5.1. Paul Arnold summarised the position in respect of
expected end of year finances. Whilst fee income remains 
fluctuating, as the ICO enters the last month of the final year 
the ICO was expecting a year end position as close to break 
even as possible whilst mitigating the risk of any over-spend. 


5.2. The Department for Culture, Media and Sport (DCMS), 
the ICO’s sponsoring department, had recently agreed to 
calculate the cash hand back at year end on an accruals 
basis. The ICO was not expecting to have to make a cash 
hand back this financial year. 


5.3. The DCMS had confirmed that an advance to the value 
of £1.4m would be provided to the ICO for 2017/18 to cover 
the anticipated shortfall of fee income against a higher than
normal budget increase to support preparation for GDPR
implementation. 


5.4. The Committee asked whether this agreement would 
cover any concerns the external auditors might have had as 
far as the ICO being a going concern. The NAO/BDO 
confirmed this was the case subject to their consideration of 
the detail. 


5.5. The ICO was expecting confirmation of its funding
model for 2018/19 onwards in the near future. Many of the 
ICO’s financial risks would then be re-assessed as their status 
was expected to reduce. 


Action: Paul Arnold to provide the Non-executive 
Directors with information on the consultation on the 
new funding scheme prior to the consultation being 
launched. 


5.6. The Committee asked about the level of unpaid civil 
monetary penalties and the level of debt that was being 
written off. Simon Entwisle explained that the level of debt 
being written off was partly due to firms going into liquidation 
owing money to the ICO as a result of a civil monetary 
penalty. The ICO was robust in seeking to recover unpaid 
penalties and the area of work had recently been audited. 
The ICO had to balance the costs of chasing a debt with the 
chances of recovery, particularly as the ICO did not retain 
any of the penalties imposed. 


5.7. It was noted that directors of firms which went into 
liquidation could be disbarred from acting as directors in the 
future. The Committee felt that this possibility could be 
publicised more widely. 


Action: Paul Arnold to consider publicising the fact that 
directors could be disbarred if their company went into 
liquidation and did not pay its civil monetary penalty. 


5.8. At the last Committee meeting there had been 
discussion on the proposed Grants and Contributions scheme 
and whether funding under the scheme would be committed 
to this financial year. The Committee asked for an update. 


5.9. Paul Arnold advised that the scheme had been 
announced formally at the previous day’s conference and that 
requests for submissions would be invited early in the new 
financial year. Expenditure under the scheme would not 
therefore be committed this financial year but it was included 
in next year’s budget. 


5.10. Finally the Committee enquired about the large write off 
of assets. Heather Dove advised that this write off had
followed discussion with the NAO following previous external
audits about the write off of IT equipment. This discussion 
had resulted in a large write off and hence the drop in 
depreciation. It was also noted that in the future, as the ICO 
moves some of its IT services and systems into the cloud, its 
fixed assets will continue to reduce. 


6. Reporting on fraud, whistleblowing and security incidents 


6.1. Peter Bloomfield introduced the quarterly report. This 
provided top line figures on incidents of fraud,
whistleblowing and security failings. 


6.2. The Committee had requested a more detailed drill 
down on security incidents. Paul Arnold introduced a paper 
providing greater detail. 


6.3. The majority of security incidents at the ICO are 
accidental disclosures of personal data, for example 
correspondence being sent to the wrong address. The ICO 
had done much to encourage the reporting of actual incidents 
and near misses. 


6.4. In this the ICO is probably no different from those we 
regulate. It is a challenging area and one which requires 
vigilance and continual improvement. And in terms of system 
improvement, the ICO was moving towards requiring the 
double entry of email addresses to help ensure accuracy. It 
was also investing in staff training and development. 


6.5. In light of the new casework system being rolled out 
later this calendar year it was agreed to re-visit the issue of 
accidental disclosures at the September meeting. 


Action: Peter Bloomfield to add to the agenda for the 
September meeting an update on accidental 
disclosures of personal data by the ICO. 


6.6. It was confirmed that none of the incidents would have 
necessitated action by the ICO as the regulator. In addition 
the ICO was considering including information on accidental 
disclosures within the active disclosure policy. This approach 
was supported by the Committee. 


7. Risk register 


7.1. Peter Bloomfield introduced the risk register. This had 
been updated to reflect the reduction in risk status associated 
with finance and GDPR implementation. The risk register 
would be more fully reviewed once the Information Rights
Strategy had been updated, both in content and format.
There would also be an emphasis on opportunity as well as 
risk. 


7.2. In respect of GDPR implementation Simon Entwisle 
advised that risks in this area would reduce as decisions on 
legislation were made and taken forward. There might 
however be other risks that arise in implementing GDPR 
across the EU. 


7.3. Ailsa highlighted to the Committee that the 
Management Board would be considering risk appetite as part 
of the review of ICO risks. 


8. Outstanding audit recommendations 


8.1. Peter Bloomfield introduced the register of outstanding 
audit recommendations. Since collating the report the 
Management Agreement with the DCMS had been signed off. 


8.2. There was a further late recommendation relating to 
password controls on the procurement system. Paul Arnold 
advised that making the system change could impact on year 
end work and it was proposed to delay this change till the 
early summer. 


Action: Paul Arnold to consider the wording of the 
management response to this recommendation. 


Action: Heather Dove to consider the external audit 
recommendation on finance system access and to 
confirm whether it was linked to the above internal 
audit recommendation. 


Action: Paul Arnold and Peter Bloomfield to consider 
the process for agreeing and clearing audit 
recommendations to help ensure senior management 
review. 


9. Internal audit 


Audit plan update 


9.1. Paul Eckersley provided an update on progress in 
meeting the internal audit plan. It was confirmed that the 
audit plan would be completed by the year end. 


IT asset management reviews 


9.2. Both reviews (part I and II) had been finalised. Part I
looked at how processes were designed; part II at how the
controls were actually working. Recommendations had been
made on the processes but the second review had confirmed
that the asset management processes were being well 
managed. 


People Strategy review 


9.3. This review had looked at how well Organisational 
Development was prepared for the amount of recruitment it 
expected to have to do to help the IC prepare for GDPR 
implementation. 


9.4. The Committee was concerned as to the long timescales 
to clear the recommendations suggested by the management 
response. Paul Arnold considered that uncertainties at the 
time of the audit over dependencies had resulted in the long
timescales being given. Some of the uncertainties had since 
been firmed up on. 


9.5. The Committee also expressed the view that 
responsibility for agreeing and meeting the recommendations 
was possibly wider than just Organisational Development. 
Management agreed. 


9.6. Given the timescales for implementing 
recommendations the Committee requested an update. Paul 
Arnold explained that he would be reporting on this area at 
the May Management Board and would report back to the 
June Audit Committee on this as well. 


Action: Paul Arnold to report back to Audit Committee 
at its June meeting on the management response to 
the People Strategy review. 


Investigations review 


9.7. The investigations review required more consideration 
of the management response and a final response would be 
brought to the next Audit Committee. 


Action point: Simon Entwisle to consider the 
management response further and to discuss with 
Grant Thornton to allow the review to be finalised at 
the next Committee meeting. 


Follow up review 


9.8. Grant Thornton confirmed a clear review with just minor 
recommendations relating to the clearance of audit 
recommendations by the ICO. 


Draft internal audit plan 2017/18 

9.9. Paul Eckersley advised that there had been early 
discussion with management over areas to review in 2017/18 
and some further discussion at the ICO. Presented to the
Committee were early ideas to be firmed up over the next
month. 


9.10. Areas flagged up for possible audit included GDPR 
preparation and cyber security. 


9.11. Paul Arnold highlighted the existing independent IT 
assurance process which could provide assurance to the 
Committee in this area. It was suggested that the Committee 
could look at this area in more depth. 


Action: Paul Arnold to provide the Committee with 
more information on the existing IT assurance 
processes at the next Audit Committee meeting. 


10. External audit 


10.1. The BDO/NAO provided a report on their interim audit 
work. There were no areas of major concern identified. 


10.2. The relationship between the BDO and NAO was 
explained. The C&AG is the statutory auditor and gives the 
final audit opinion. However the NAO contracts out its audit 
work in some cases and BDO were contracted to do the ICO 
audit work. 


10.3. The outstanding external audit recommendation relating 
to access to the procurement system was noted here (see 
action under 8.2). 


11. Audit Committee annual report 2016-17 


11.1. The draft Audit Committee annual report 2016-17 was 
noted. This report articulated the Committee’s assurance to 
the Commissioner as Accounting Officer as to how well the
organisation was managed. The final draft would be agreed
by the Committee at its next meeting in June.


12. ICO annual report and accounts 2016-17 


12.1. Peter Bloomfield presented the template and timetable 
for the ICO Annual Report and Accounts 2016-17. A near final 
draft would be brought to the next Committee meeting in 
June for sign off. 


12.2. The template was a work in progress. 


12.3. It was confirmed that there was potential to make some 
changes to the report section of the document. 


13. Any other urgent business 


13.1. Ailsa Beaton fed back to the Committee on her meeting
with other audit chairs at the DCMS. There was interest in 
what the NAO and DCMS thought Audit Committees should 
be looking at and at the role of the Non-executive Directors 
in the public sector compared with those in the private
sector. 


13.2. The Committee thanked Sally Hanson for her work as 
interim Head of Finance. 


